(12) 



„ ~~ IllfiillUlllIIlll 

European Patent Office 

Office europeen das brevets (11) EP 0 743 620 A2 

EUROPEAN PATENT APPLICATION 



(43) Dateofpublcatton: 

20.11.1996 Bulletin 1996/47 



(21) Application number: 96108028.0 

(22) Date of filing: 20.05.1996 



(51) Into. 6 : G07C 13/00 



(84) Designated Contracting States: 
DE FR GB NL 



(30) Priority: 19.05.1995 US 444701 



(71) Applicant: NEC CORPORATION 
Tokyo (JP) 



(72) Inventors: 

• KJIian, Joseph J. 

Princeton Junction, NJ 08550 (US) 

• Sato, Kazue, 
c/o NEC Corp. 
Tokyo (JP) 

(74) Representative: Batten & Reach 
Relchenbachstrassa 19 



(54) Secure receipt-free electronic voting 

(57) A number-theoretic based algorithm provides 
for secure receipt-free voting. A vote generating center 
generates a choice of votes for each voter or vote 
chooser. The votes are encrypted, shuffled, and con- 
veyed to a vote chooser along with information regard- 
ing how the votes were shuffled without being 
intercepted en route. The information is preferably sent 



along untappable secure channels. The method can 
incorporate validification of generation and shuffling of 
the votes using chameleon commitment and interactive 
proofs. The invention can be realized by current-gener- 
ation personal computers with untappable channels and 
access to an electronic bulletin board. 
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Description 

Field of Invention 

Th present invention relates to a method and s 
apparatus useful for secure receipt-free electronic vot- 
ing and specifically, to number-theoretic based algo- 
rithms for secure receipt-free electronic voting. 

Background of the Invention 10 

The ultimate goal of secure electronic voting is to 
replace physical voting booths. Achieving this goal 
requires work both on improving the efficiency of current 
protocols and understanding the security properties that is 
these physical devices can provide. 

Recently, it is observed in an article by J.C. Benaloh 
et al, entitled "Receipt-free Secret-ballot Election," in 
STOC 94, pp. 544-553 (1994), that unlike physical, vot- 
ing protocols, nearly all electronic voting protocols give 20 
the voters a receipt by which they can prove how they 
voted. Such receipts provide a ready means by which 
voters can sefl their votes or by which another party can 
coerce a voter to vote in a certain way. 

Benaloh and Tuinstra give the first receipt-free pro- 2s 
tocol for electronic voting. In their scheme a trusted 
center generates for each voter a pair of ballots consist- 
ing of a "yes" vote and a "no" vote in random order. 
Using a trusted beacon and a physical voting booth the 
center proves to the public that the ballot indeed ao 
includes a well-formed (yes/no) or (no/yes) pair and at 
the same time proves to the verifier which pair it is The 
physical apparatus ensures that by the time the verifier 
is able to communicate with an outsider, the verifier can 
forge a proof that the ballot is (yes/ho) and also forge a 35 
proof that it is (no/yes). Thus, such a proof ceases to 
provide either proof as a receipt. 

Independently, Niemi and RenvaH tried to solve this 
problem in an article by Niemi et al, entitled "How to pre- 
vent buying of votes in computer elections" in ASIA- 40 
CRYPT '94, pp. 141-148 (1994). They also use a 
physical voting booth where a voter performs multiparty 
computation with all the centers. 

Both the Benaloh-Tuinstra and the Niemi- Rertvall 
protocols illustrate that receipt-free secure voting is pos- « 
sibie. However, their physical requirements are fairly 
cumbersome, and are not unlike those faced by partici- 
pants in physical elections. An important open question 
is precisely what physical requirements are necessary 
for achieving receipt-free secure voting. so 

In accordance with the teachings of the present 
invention, a secure receipt-free voting scheme is 
described with a more practical physical requirement, 
that is the existence of a physically secure untappable 



Summary of the Invention 

A secure receipt-free voting scheme is described 
where each voter does not leav evidence of how the 
voter voted by using a physically secure untappable 
channel. The term "untappable secure channel" refers 
to the fact that a message can be sent from a center 
without being accessed or detected by another party. 
Such an untappable channel is descrbed in an article 
by C. Bennett et al entitled "Quantum Cryptography" in 
Scientific American, vol. 267. no. 4. Oct 1992. pp. 50 to 
57. The end result of using an untappable channel is 
that neither the voter nor another party can show or 
prove how a vote was cast or what was the message 
that was sent. Once a message is sent or received, the 
content may be changed rendering proof of the mes- 
sage impossible. However, if the message is intercepted 
or detected in route or at the time of reception, the inter- 
cepting or detecting party can learn the content of a 
message prior to a time when a change was possfcle. 
Moreover, even if a non-secure channel is used, if the 
message travels along the channel without interruption 
or detection, by virtue of the protocol used in the 
present invention, determination of a particular vote 
after receipt at its destination is not possfcle. In other 
words, an untappable channel refers to the transmission 
of a message without interception or detection in route. 

In the following description, the term 'chameleon 
commitments' is used. A chameleon commitment is a 
message committing and decommiting protocol, where 
the committer can decommrt as the committer commit- 
ted, while the receiver can decommrt in any way, regard- 
less of how the committer committed. 

In accordance with the method of the present 
invention, there is a vote generating center, a vote 
counting center, and shutting centers to transfer mes- 
sages between the various centers and each voter. The 
method comprises the following three steps. 

The first step is the generation by a voter generat- 
ing center of a set of all possible votes for each voter. 
For simplicity, it will be assumed that the possfcle votes 
are two, namely 1-vote and 0-vote. For each voter /', the 
vote generating center posts encrypted 1 -votes and 0- 
votes in random order. The committer commits to the 
ordering using chameleon bit commitments. The center 
proves that the committer constructed the vote-pairs 
properly. The committer decommits the ordering only to 
the voter through an untappable secure channel. 

The second step is the transferring the vote from 
the vote generating center to the voter via the shuffling 
centers. Each shuffling center shuffles ttie two votes for 
voter / through a shuffle-net. The committer commits 
with regard to how the votes are shuffled using chame- 
leon commitments. Each shuffling center proves the 
correctness of its action. The committer reveals how the 
votes were shuffled only to the voter / through an untap- 
pable secure channel. 
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The second step is not mandatory, in which case 
the vote generating center may drectly send the vote to 
th voter through an ordinary channel. 

The third step is anonymous voting by the voter. By 
keeping track of the initial ordering of the pair, and how 
they were shuffled during the second step, each voter 
knows which vote is which. Each voter submits one of 
the received votes to the counting center through a 
secure anonymous channel. Then the counting center 
tallies the votes. 

Implementation of a secure anonymous channel 
can be found in an article by C. Park et al entitled "Effi- 
cient Anonymous Channel and Ail/Nothing Election 
Scheme" in Advances in Cryptology, Eurocrypt "93. 
1993, pp. 248 to 259. or in pending U.S. patent applica- 
tion serial number 08/376,568 entitled "Secure Anony- 
mous Message Transfer and Voting Scheme" which is 
assigned to the same assignees as the present inven- 
tion. Also, the invention results in a method which 
reduces the amount of communication and computation 
necessary to generate, transmit and check the proofs 
by combining multiple proofs into a single proof. 

The present invention will be best understood when 
the following description is read in conjunction with the 
accompanying drawing. 

Brief Description of the Drawing 

Figure 1 is a schematic illustration of a preferred 
embodiment for practicing the present invention; 
Figure 2 is a schematic illustration of message 
ttow; 

Figure 3 is a schematic illustration of a preferred 
embodiment for practicing the present invention 
with shuffling centers; 

Figure 4 is a schematic illustration of a message 

flow with shuffling centers; and 

Figure 5 is a schematic illustration of a shuffling 

center. 

Detailed Description of the Invention 

A preferred embodiment of a secure receipt-free 
voting scheme comprising the present invention will 
now be described with reference to Figures 1 and 2. In 
accordance with the scheme, the encrypted votes gen- 
erated by vote generating center 10 by vote construct 
process 26 are posted on an electronic bulletin board 1 3 
or other publicly accessUe messaging means. The 
encrypted votes are pairs of 1 -votes and O-votes, per- 
muted in random order, for each vote chooser 12(i). 
Then the vote generating center 10 secretly conveys to 
the vote chooser 12(i) through an untappable channel 
16(i) how the encrypted votes for vote chooser 12(i) is 
ordered. At the same time, the vote generating center 
10 needs to prove to the public that the vote was hon- 
estly generated and to the vote chooser that the center 
1 0 had not sent false information in the secret message. 



These proofs are achieved by following prove process 
20 as will be described below. 

The vote chooser 12(i) chooses its ballot using the 
secret messag from the vot generating center 10 

5 through a physically untappable channel 160). The vote 
chosen by the vote choosers 12(1). 12(2), ...12(<) are 
transferred anonymously through a secure anonymous 
channel to a vote counting center 15. The secure anon- 
ymous channel can be realized by the mixing centers 

w 14(1), 14(2), ...14(n). where encrypted votes are suc- 
cessively processed by tine mining centers until the vote 
counting center 15 provides as its output a randomly, 
untraceably ordered set of unencrypted votes and the 
outcome of the tally. Each vote generating center 10, 

is vote chooser 12(1), mixing center 14<I) and vote count- 
ing center 15 comprises a computing means, preferably 
a personal computer but it may also be a workstation or 
the like. 

Having set forth an overview of the scheme, the 
20 detail of vote construct process 26, prove process 20, 
and the information being transferred securely through 
untappable channel 16 will now be described. 

The vote generating center 10, by executing vote 
construct process 26, generates an encrypted pair of 0- 
2S vote and 1 -vote for each vote chooser 1 2(j). The center 
follows the vote construct process for each vote chooser 
I2(i) with independently chosen random numbers. 

The encrypted form of 1 -votes and 0-votes need to 
be appropriate for input to the anonymous channel. 
30 Preferably, the method and apparatus described in U. S. 
patent application 08/376,568 which is incorporated 
herein by reference, is used and the encrypted forms of 
1 -votes and 0-votes are selected to be: 

3S v°i =(g r " modp, m 0 -y f " mod p) (1) 

v) m (g r>1 mod p. m, •>/'* mod p) 

for independent random numbers r n and r e for vote 

40 chooser I2(i) and appropriately chosen common con- 
stants p, a. y. ™b and for all vote choosers. The vote 
construct process 26 comprises calculating the above 
formulas with randomly chosen numbers r A and r e . 
The vote generating center 10 posts on the bulletin 

45 board in the order of (v 0 ,. v\) with probability of one half 
and^ 1 ,-, ^otherwise. 

The prove process 20 comprises three algorithms, 
commitment 21. prove 1-0 22, and decommrtment 23. 
The algorithm commitment 21 is used to calculate and 

so post a chameleon commitment of the above ordering 
and a random sequence used in the succeeding prove 
1-0 protocol. The algorithm prove 1-0 is executed multi- 
ple times to prove that the center 10 generated the 
votes honestly, and the output is posted on bulletin 

55 board 13. The algorithm decommit 23 is used to decom- 
mrt the chameleon commitment committed in algorithm 
commit 21 . through an untappable secure channel. The 
specific algorithms of prove 1 -O and chameleon commit- 
ment/decommitment will be described below. 
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Th vote generating center sends an output of a 
decomrnrtter, which is a chameleon decommitment, to 
the vote chooser / through th untappable channel. 

The vote chooser 12(0 verifies the correctness of 
the prove 1-0 algorithm and the validity of decommit- s 
merits by verification process 24. If the correctness and 
validity are verified, the vote chooser 12(0 follows selec- 
tion process 25 and chooses either one of the 
encrypted votes on the bulletin board, which expresses 
its opinion. The vote chooser is able to choose correctly 10 
because it would know how the encrypted votes were 
ordered from the chameleon decommitment. 

The vote chosen by the vote chooser 1 2(/) will be 
input to a shuffle-net, together with other vote6 chosen 
by the other vote choosers. is 

Applying the scheme described above, a malicious 
party who coerces the vote chooser 12(i) to disclose its 
vote, will not receive a concrete proof of whether the 
chosen vote was a 1-vote or a 0-vote unless the vote 
generating center 10 is allowed to disclose the vote or so 
the secure channel 16(i) is tapped into. 

The algorithms prove 1 -0 and chameleon commit- 
mant/decommrtment will now be described. The prove 
1-0 algorithm involves a prover and a verifier. The 
prover is the vote generating center in this case. The ss 
verifier may be any entity, including vote choosers. The 
probabilistic behavior of the algorithm will be deter- 
mined by an output of a suitable hash function, but it 
may also be a random beacon. 

The algorithm comprises, given randomly permuted 30 
pair of ( \°! . v) ) generated and posted as equations (1), 
showing that they are indeed a pair of 1 -vote and 0-vote. 
Assume a random string has been committed using 
chameleon commitment to the vote chooser. 

35 

prove 1 -0 

1 The prover uniformly chooses r', r"and calculates 

^o( v °) = (fi'' modp, m 0 -y f ' mod p) *o 

£i(v 1 )-(5 r " nrod p. m, •y r "modp) 

and posts £o(A the order according to 

the committed string. 46 
2a. With probability I , the prover is asked to reveal 
r' and r". The verifier checks if £o(A is 
made consistently. 

2b. With probability \ , the prover is asked to reveal 
s1 ■ r n - f and s2 = r /2 - r". The verifier checks so 
that vP and v) can be indeed generated from 
£ 0 (A using si, s2, g and y. 

The chameleon commitment scheme will now be 
described. The chameleon commitment scheme ss 
involves a sender and a receiver. The sender is the vote 
generating center in this case. The receiver are the vote 
choosers. 
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The following is explained in terms of committing a 
single bit 0 or 1 , but can be easily transformed to com- 
mit multiple bits and strings. In the scheme, th receiver 
is assumed to know a satisfying a - g* for public inte- 
ger a. 

Commitment Sender commits 0 by g r and a • g r 
for 1 to the receiver. 

Decommitment Sender reveals r. The receiver cal- 
culates both g' and a • g r and deter- 
mines what was the committed bit. 

In order to modify the decommitment, the receiver 
may claim it received t - a instead of r, which is the ca6e 
when the sender committed the other value. 

A more detailed description of chameleon commit- 
ments can be found in article "Minimum Disclosure 
Proofs of Knowledge" by Brassard, Chaum and 
Crepeau in JCSS, pages 156-189, 1988. 

After the vote generating center decommitted its 
random siring, the vote chooser 12(i) may follow with 
invalidation process 27 to invalidate the commitment of 
the center. The invalidation process 27 comprises 
informing the center of the value a. so that the center 
also has the ability to provide false information after- 
wards, or to post the value a on a bulletin board 13. 

To make sure that the vote chooser has the ability to 
modify the commitments, that is, the vote chooser 
knows the exponent a, the interaction may occur 
between the vote generating center and each vote 
chooser, before the commitment is applied, or even 
before the start of voting. For example, the vote choos- 
ers may execute a cul-and-choose protocol to pick the 
constant a so that the vote chooser knows a with high 
probability. 

In order to make the receipt-free property more 
secure, it is possible to incorporate a shuffle net 11 
comprising multiple shuffling centers 11(1), 
11(2),...11(m), as shown in Figures 3 and 4. Each 
encrypted vote generated by vote generating center 10 
for vote chooser 12(0 is passed through shuffle net 1 1 
before reaching the vote chooser 12(/). As a result of 60 
doing, a malicious party would not be able to determine 
how the vote chooser 12(0 voted unless it colluded with 
all the shuffling centers and vote generating centers, or 
wiretapped every secret channel 17(1). 17(2), .. .17(m) 
between the shuffling centers and the vote chooser 
12(i). 

Each vote shutting center comprises a computing 
means, preferably a personal computer but it may also 
be a workstation or the like. 

The operation of the shuffle net and shuffling cent- 
ers will now be described. Shuffling center 11(/) proc- 
esses each message posted by the previous shuffling 
center 1 1 (/' - 1 ) (or the vote generating center 10, when 
/ = 1 ) and posts the results of process shuffle 30 (Figure 
5) in permuted order until the last shuffling center 1 1(m) 
posts the result of the shuttling. Each shuffling center 
conveys how the votes were shuffled to the vote 
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chooser through an untappable secure channel 170). 
Each shuffling center proves rt shuffled honestly and did 
not provid false information to the vote chooser in a 
manner similar to that of the vote generating center, 
which is achieved through executing process prove 31 . 5 

Figure 5 illustrates the operation of a shuffling 
center 110). The shuffling center 11(i) executes the 
processes shuffle 30 and prove 31 and posts the out- 
puts. The process prove 31 comprises an algorithm 
commitment 32 which chameleon commits the random to 
string to the vote chooser. 

The process prove 31 further comprises three algo- 
rithms: commitment 32, prove shuffle 33, and decom- 
mitment 34. 

In order to describe the process shuffle 30, let the ts 
input be encrypted shuffled votes, which are presented 



20 

X 2 =(S V S a ) 

The algorithm shuffle comprises generating a ran- 
dom number o, and and shuffling the encrypted 
votes X, and as 25 

S(Xi)-(A,-g c ' modp, A 2 -y c ' moa P) ( 2 ) 

S(X 2 ) - (B, • g c * mod p, S 2 • y° z mod p) 

30 

and posting S(X,) and S(X 2 ) in random order. 

This order and a random sequence to be used in 
the algorithm prove shuffle is committed using chame- 
leon commitment and posted on the bulletin board as 
the output of algorithm commitment 32. 35 

The algorithm prove shuffle 33 is used to prove that 
the shuffling center executed the algorithm shuffle cor- 
rectly. The prove-shuff le algorithm involves a prover and 
a verifier. The prover is the shuffling center in this case. 
The verifier may be any entity, including a vote chooser. 40 
The probabilistic behavior of the algorithm will be deter- 
mined by an output of a suitable hash function, but it 
may also be a random beacon. The algorithm com- 
prises a permuted pair of (S(X,), S(X 2 )), showing that 
they are indeed generated from inputs X, and X 2 as *s 
equations (2). Assume a random string has been com- 
mitted using chameleon commitment to the vote 
chooser. 

prove shuffle so 

1 . The prover uniformly chooses c\ c" and calcu- 
lates 

E(X 1 )-(A,«g c modp. A 2 -y c 'modp) ss 
E{X 2 )-(B^ -g°' modp, B 2 -y c modp) 



post E(Xf). £(X 2 ) in the order according to the com- 
mitted string. 

2a. With probability | , th prover is asked to reveal 
c' and c". The verifier checks if E(X,). E{X£ is 
made consistently. 

2b. With probability | , the prover is asked to reveal 
f, - c, - c' and r 2 - c 2 -c". The verifier checks 
that E(X 1 ) and E(X£ can indeed be generated from 
S[X,), S(X2) using f,. f 2 , g and y. 

The encrypted votes posted by the vote generating 
centers are successively processed by the shuffling 
centers 11(1), 11(2), ...11(m) until the last center pro- 
vides as its output a randomly, untraceably ordered set 
of encrypted votes for each vote chooser. 

The vote chooser 12(i) chooses its ballot using the 
secret messages from the vote generating center and 
shuffling centers through untapped e secure channels 
16(0, 17(1).17(2), ...and 17(m). 

Invalidation of chameleon commitments of shuffling 
centers can be realized in a similar manner as invali- 
dated commitments of vote generating center. 

Having described a preferred method of practicing 
the present invention, preferred embodiments useful for 
practicing the invention will now be described. 

Figure 1 schematically illustrates a preferred 
embodiment for practicing the invention. The vote gen- 
erating center 10, vote choosers 12(1), 12(2). ...12(/), 
mixing centers 14(1). 14(2), ...11(n) and vote counting 
center 15 use personal computers or workstations con- 
nected to a conventional electronic bulletin board 13. 
There are untappable secure channels 16(1),16(2) 
...16(0 so that the vote generating center can send a 
secret message to each vote chooser. All elements 
(senders, verifiers, centers and the like) comprising the 
message transfer process interact by posting messages 
to and receiving messages from the bulletin board 13, 
except when the vote generating center sends decom- 
mitting messages to vote choosers via untappable 
channel 16. The vote generating center or vote choos- 
ers or vote counting center can also serve as mixing 
centers or vote counting centers. The personal comput- 
ers either contain software to perform the method 
described above or alternatively contain in hardware or 
software embodiments of the elements described in 
Figure 2. 

Figure 2 illustrates how messages are transferred 
to achieve receipt-free voting. For each vote chooser 
i2(i), vote generating center 10 generates encrypted 
votes using a vote constructor 26 as described above. 
The vote generating center then follows process prove 
20 which comprises algorithms commitment 21 , prove 
1 -0 22 and decommitment 23. The output of decommit- 
mentis sent to vote chooser 12(i) through untappable 
channel 16(i). Other outputs of the vote generating 
center 10 is posted on the bulletin board 13. The vote 
chooser 12(i) follows the processes verification 24 and 
selection 25, and outputs selected votes from the 
encrypted votes on the bulletin board. The selected 
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voles of all the vote choosers 12(1). 12(2) ...12(0 are 
anonymously transferred to vote counter 15 through 
anonymous channel 14. 

Figure 3 schematically ilustrates a preferred 
embodiment for practicing the invention with a shuffle 
net The vote generating center 10. vote shuffling cent- 
ers 11(1), 11(2), ...11(m). vote choosers 12(1), 12(2), 
...12(4. mixing centers 14<1). 14<2). ...11(n) and vote 
counting center 15 use personal computers or worksta- 
tions connected to a conventional electronic bulletin 
board 13. There are untappable channels 16(1),16(2) 
...16(0 so that the vote generating center can send a 
secret message to each vote chooser. There are also 
untappable channels 17(1). 17(2) ...17(m) so that the 
shuffling centers 11(1), 11(2), ...1l(m) can send a 
secret message to vote chooser 12(1) All elements 
(senders, verifiers, centers and the like) comprising the 
message transfer process interact by posting messages 
to and receiving messages from the bulletin board, 
except for the vote generating center or shuffling cent- 
ers which send decommrtting messages to a vote 
chooser via untappable channels. The vote generating 
center or vote choosers or vote counting center or shuf- 
fling centers can also serve as mixing centers or vote 
counting centers or shuffling centers. The personal 
computers either contain software to perform the 
method described above or alternatively contain in 
hardware or software embodiments the elements 
described in Figures 4 and 5. 

Figure 4 illustrates how messages are transferred 
to achieve receipt-free voting with a shuffle net. For 
each vote chooser 12(i), vote generating center 10 gen- 
erates encrypted votes which are posted on the bulletin 
board 13. Then shuffling center 11(1) reads encrypted 
votes from the bulletin board 13 and follows processes 
shuffle 30 and prove 31 . and output shuffled votes to the 
bulletin board 13, while sending a decommrtting mes- 
sage to vote chooser 12(i) through untappable channel 
17(1). Similarly, the succeeding shuffling centers read 
the proceeding centers output from bulletin board 13, 
and post its output to the bulletin board for the next shuf- 
fling center, while sending its decommrtting message to 
vote chooser 12(f) through untappable channel 17(1). 
The last shuffling center's output will be read by the vote 
chooser 12(i) , which follows the processes verification 
35 and selection 36, and outputs selected votes from 
the encrypted votes on the bulletin board. The selected 
votes of all the vote choosers 12(1). 12(2) ...12(0 afe 
anonymously transferred to vote counter 15 through 
anonymous channel 14. 

Figure 5 schematically illustrates a shuffling center 
11(i). The shuffling center follows process shuffle 30 
and process prove 31. Process prove 31 comprises 
algorithms commitment 32, prove shuffle 33 and 
decommrtrrtent 34. 

While there has been described and illustrated a 
preferred method and apparatus of secure receipt free 
electronic voting, it will be apparent to those skilled in 
the art that variations and modifications are posstole 
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without deviating from the broad teachings and spirit of 
the present invention. 

Claims 

5 

1 . A method of secure receipt-free voting comprising 
the steps of: 

(a) constructing votes for each vote chooser 
w which votes are posted on a bulletin board; 

(b) sending private messages to respective 
vote choosers without being intercepted; 

15 (c) the vote chooser choosing the vote and con- 

structing a message; 

(d) the message from the vote chooser reach- 
ing a vote counting center through a secure 

20 anonymous channel; and 

(e) the vote counting center counting the votes. 

2. A method of secure receipt-free voting as set forth 
25 in daim 1, where said sending private messages 

comprises sending via secure untappable chan- 
nels 

3. A method of secure receipt-free voting as set forth 
30 in claim 1 , further comprising the step of proving the 

correctness of the vote construction. 

4. A method of secure receipt-free voting as set forth 
in claim 3, where proving the correctness is per- 

35 formed by executing algorithm prove 1 -0. 

5. A method of secure receipt-free voting as set forth 
in claim 3, further comprising the steps of: 

40 (f) said constructing votes including committing 

a random string using chameleon commit- 
ments; 

(g) proving the correctness of the constructed 
45 votes by using committed bits; and 

(h) decommiting through a secure untappable 
channel. 

so 6. A method of secure receipt-free voting as set forth 
in claim 5, where proving the correctness is per- 
formed by executing the algorithm prove 1-0. 

7. A method of secure receipt-free voting as set forth 
55 in claim 5. further comprising the vote chooser 
invalidating chameleon commitment. 
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8. A method of secure receipt-free voting as set forth 17. A method of secure receipt-free voting as set forth 
in daim 7, where proving the correctness is per- in claim 16, where said sending a privat message 
formed by executing the algorithm prove 1 -0. comprises sending via a secure untappable chan- 
nel. 

9. A method of secure receipt-free voting as set forth s 

in claim 7, where th vote chooser invalidating cha- 18. A method of secur receipt-free voting as set forth 

me) eon commitment provides its secret key for con- in claim 3, where step (a) further comprises: 
structing votes to the bulletin board. 



10. A method of secure receipt-free voting as set forth io 

in claim 1 . where step (a) further comprises: (ii) sending a private message about the shuf- 
fling to the vote chooser without being inter- 

(i) shuffling the constructed votes; and cepted. 

(ii) sending a private message about the shuf- rs 19. A method of secure receipt-free voting as set forth 
fling to the vote chooser without being inter- in claim 18. where said sending a private message 
cepted. comprises sending via a secure untappable chan- 
nel. 

11. A method of secure receipt-free voting as set forth 

in claim 10, where said sending a private message 20 20. A method of secure receipt-free voting as set forth 

comprises sending via a secure untappable chan- in claim 10, further comprising the step of proving 

nel. the correctness of the shuffled constructed votes. 

12. A method of secure receipt-free voting as set forth 21. A method of secure receipt-free voting as set forth 
in daim 2, where step (a) further comprises: 25 in claim 20, further comprising the steps of: 

(i) shuffling the constructed votes; and (f) committing a random siring using chame- 

leon commitments; 

(ii) sending a private message about the shuf- 
fling to the vote chooser without being inter- 30 (g) proving the correctness of the shuffled con- 
cepted. struct ed votes using committed bits; and 

13. A method of secure receipt-free voting as set forth (h) decommiting without being intercepted, 
in claim 4, where said sending a private message 

comprises sending via a secure untappable chan- 35 22. A method of secure receipt-free voting as set forth 

nel. in claim 21 where said decommiting is through a 

secure untappable channel. 

14. A method of secure receipt-free voting as set forth 

in claim 5. where step (a) further comprises: 23. A method of secure receipt-free voting as set forth 

40 in claim 20, where said proving the correctness is 

(i) shuffling the constructed votes; and performed by executing the algorithm prove shuffle. 

(ii) sending a private message about the shuf- 24. A method of secure receipt-free voting as set forth 
fling to the vote chooser without being inter- in claim 21, where said proving the correctness is 
cepted. 45 performed by executing the algorithm prove shuffle. 

15. A method of secure receipt-free voting as set forth 25. A method of secure receipt-free voting as set forth 
in claim 1 4, where said sending a private message in claim 21 , further comprising invalidating the cha- 
comprises sending via a secure untappable chan- meleon commitment 

nel. so 

26. A method of secure receipt-free voting as set forth 

16. A method of secure receipt-free voting as set forth in claim 23, further comprising invalidating the cha- 
in claim 7, where step (a) further comprises: meleon commitment 

(i) shuffling the constructed votes; and 55 27. A method of secure receipt-free voting as set forth 

in daim 26, where the said invalidating chameleon 

(ii) sending a private message about the shuf- commitment indudes providing a secret key for said 
fling to the vote chooser without being inter- shuffling to the bulletin board. 

cepted. 
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28. An apparatus for secure receipt-free voting com- 
prising: 

a plurality of vote generating centers; 

5 

a plurality of vote choosers; 
a bulletin board; 

a vote counting center; 10 

said vote generating centers constructing votes 
for each said vote chooser which votes are 
posted on said bulletin board and said vote 
generating centers sending private messages 15 
to respective vote choosers without being inter- 
cepted; 

each said vote chooser choosing trie vote and 
constructing a message which reaches said 20 
vote counting center through a secure anony- 
mous channel: and 

said vote counting center counting the votes. 

25 

29. An apparatus for secure receipt-free voting as set 
forth In claim 28. where said vote generating cent- 
ers send private messages to said vote choosers 
via secure untappable channels. 

30 

30. An apparatus for secure receipt-free voting as set 
forth in claim 28, fun 



34. An apparatus for secure receipt-free voting as set 
forth in claim 30, furth r comprising: 

a shuffle net of shuffling centers for receiving 
said constructed votes; and 

each shuffling center in the shuffle net shuffling 
the votes and sending a private message to a 
vote chooser without being intercepted. 

35. An apparatus for secure receipt-free voting as set 
forth in claim 34. where each shuffling center sends 
a private message to a vote chooser via a secure 
untappable channel. 

36. An apparatus for secure receipt-free voting as set 
forth in claim 32. further comprising said shuffling 
centers proving the correctness of their vote con- 
struction. 

37. An apparatus for secure receipt-free voting as set 
forth in claim 36, further comprising: 

each shuffling center committing a random 
string using chameleon commitment and prov- 
ing the correctness of its vote using committed 
bits, and decommiting without being inter- 
cepted. 

38. An apparatus for secure receipt-free voting as set 
forth in claim 37 where said decommiting is through 



said vote generating center committing a ran- 
dom string using chameleon commitment; 35 
proving the correctness of the vote construc- 
tion using committed bits; and decommiting 
through a secure untappable channel. 

31. An apparatus for secure receipt-free voting as set *o 
forth in claim 30, further comprising said vote 
chooser invalidating the chameleon commitment. 

32. An apparatus for secure receipt-free voting as set 
forth in claim 28, further comprising: 46 

a shuffle net of shuffling centers for receiving 
said constructed votes: and 



39. An apparatus for secure receipt-free voting as set 
forth in claim 37, further comprising each vote 
chooser invalidating the chameleon commitment. 

40. An apparatus for secure receipt-free voting as set 
forth in claim 39, where each vote chooser invali- 
dating the chameleon commitment by providing its 
secret Key to said shuffling centers or to said bulle- 



each shuffling center in the shuffle net shutting so 
the votes and sending a private message to a 
vote chooser without being intercepted. 

33. An apparatus for secure receipt-free voting as set 
forth in claim 32. where each shuffling center sends 55 
a private message to a vote chooser via a secure 
untappable channel. 
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